Spooked by a speaking security camera? Polite hacker tells owner how to fix his IoT security

5 months ago

If it was late at night and you were out in your back yard, and you heard an unknown voice coming from inside your house – how would you feel?

My guess is that you would feel pretty spooked, especially if you knew there was no-one in your house.

Well, just a few weeks ago that’s what happened to Phoenix real estate agent Andy Gregg. And his initial petrified thought was that he had an intruder in his home.

The truth was that he did have a type of intruder, but not one who had physically entered his home. The person who had broken their way into Gregg’s home was a Canadian hacker, whose voice was being broadcast through a Nest security camera.

Gregg had the quick wits to record what happened next on his smartphone, and described his experience to the Arizona Republic.

The “white hat” hacker, who claimed to be part of a group calling itself the “Anonymous Calgary Mindhive”, said it hadn’t been hard for him to hijack control of Gregg’s Nest security camera.

“We don’t have any malicious intent, but I’m just here to kind of let you know so that no one else, like any black-hat hackers, follow. There are so many malicious things somebody could do with this.”

Gregg had made the mistake of using the same password to “secure” his IoT camera as he had used for online accounts. Like so many others, Gregg hadn’t recognised the danger of reusing login credentials, and when a breach occurred at an online site, his login and password were leaked into the public domain.

And whereas many maliciously-minded hackers might have used the details to break into Gregg’s email account, seize control of his Facebook profile, or order goods on Amazon, this particular intruder used the details to log into Gregg’s camera instead.

For years, security experts have advocated that users should enable two-step verification (2SV) or two-factor authentication on their online accounts, and that advice is just as wise for IoT devices.

With an additional level of authentication in place, it should be much harder for hackers to gain access to your internet-enabled devices – even if they have managed to gain access to your password.

Gregg told the Arizona Republic that he has taken the polite Canadian hacker’s advice to heart, changed his passwords, and unplugged the camera.

But, as a real estate agent, Gregg has given IoT cameras to his clients as gifts in the past. He wonders how many of them may have set them up as insecurely as he did:

“I have a ton of clients in real estate that use these things to watch their kids. They’ll watch their living rooms, they’ll keep them all over the house for their protection. But these hackers can go in there, and if they can watch your kids while they’re sleeping or changing, just think of what they can do with that.”

Smart devices and IoT gadgets appeal to the geek in all of us, and can make our lives run more smoothly – but we all need to be careful to follow best practices to ensure that they don’t bring unwelcome visitors into our homes.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.